Security system for network address translation systems

ABSTRACT

A system and method are provided for translating local IP addresses to globally unique IP addresses. This allows local hosts in an enterprise network to share global IP addresses from a limited pool of such addresses available to the enterprise. The translation is accomplished by replacing the source address in headers on packets destined for the Internet and by replacing destination address in headers on packets entering the local enterprise network from the Internet. Packets arriving from the Internet are screened by an adaptive security algorithm. According to this algorithm, packets are dropped and logged unless they are deemed nonthreatening. DNS packets and certain types of ICMP packets are allowed to enter local network. In addition, FTP data packets are allowed to enter the local network, but only after it has been established that their destination on the local network initiated an FTP session.

This application is a continuation of U.S. application Ser. No.08/552,807 filed Nov. 3, 1995 now U.S. Pat. No. 5,793,763.

BACKGROUND OF THE INVENTION

The present invention relates to address translation systems for mappinglocal Internet Protocol IP addresses used by hosts on a private networkto globally unique IP addresses for communication with hosts on theInternet. The address translation systems have adaptive securitymechanisms to protect the private network from certain packet types sentfrom the Internet.

Private networks are commonly connected to the Internet through one ormore routers so that hosts (PCs or other arbitrary network entities) onthe private network can communicate with nodes on the Internet.Typically, the host will send packets to locations both within itsprivate network and on the Internet. To receive packets from theInternet, a private network or a host on that network must have aglobally unique 32-bit IP address. Each such IP address has a four octetformat. Typically, humans communicate IP addresses in a dotted decimalformat, with each octet written as a decimal integer separated fromother octets by decimal points.

Global IP addresses are issued to enterprises by a central authorityknown as the Internet Assigned Number Authority (“IANA”). The IANAissues such addresses in one of three commonly used classes. Class A IPaddresses employ their first octet as a “netid” and their remainingthree octets as a “hostid.” The netid identifies the enterprise networkand the hostid identifies a particular host on that network. As threeoctets are available for specifying a host, an enterprise having class Aaddresses has 2²⁴ (nearly 17 million) addresses at its disposal for usewith possible hosts. Thus, even the largest companies vastly underuseavailable class A addresses. Not surprisingly, Class A addresses areissued to only very large entities such as IBM and ATT. Class Baddresses employ their first two octets to identify a network (netid)and their second two octets to identify a host (hostid). Thus, anenterprise having class B addresses can use those addresses onapproximately 64,000 hosts. Finally, class C addresses employ theirfirst three octets as a netid and their last octet as a hostid. Only 254host addresses are available to enterprises having a single class Cnetid.

Unfortunately, there has been such a proliferation of hosts on theInternet, coupled with so many class A and B licenses issued to largeentities (who have locked up much address space), that it is now nearlyimpossible to obtain a class B address. Many organizations now requiringInternet access have far more than 254 hosts' —for which unique IPaddresses are available with a single class C network address. It ismore common for a mid to large size enterprise to have 1000 to 10,000hosts. Such companies simply can not obtain enough IP addresses for eachof their hosts.

To address this problem, a Network Address Translation (“NAT”) protocolhas been proposed. See K. Egevang and P. Francis, “The IP NetworkAddress Translator (NAT),” Request For Comments: “R.F.C.” 1631, CrayCommunications, NTT, May 1994 which is incorporated herein by referencefor all purposes. NAT is based on the concept of address reuse byprivate networks, and operates by mapping the reusable IP addresses ofthe leaf domain to the globally unique ones required for communicationwith hosts on the Internet. In implementation, a local host wishing toaccess the Internet receives a temporary IP address from a pool of suchaddresses available to the enterprise (e.g., class C 254 addresses).While the host is sending and receiving packets on the Internet, it hasa global IF address which is unavailable to any other host. After thehost disconnects from the Internet, the enterprise takes back its globalIP address and makes it available to other hosts wishing to accessoutside networks.

To implement a NAT, a translation system must be provided between theenterprise private network and the Internet. By virtue of this location,the translation must act as a firewall to protect the local privatenetwork from unwanted Internet packets. In view of this requirement, itwould be desirable to have a system which employs NAT and provides asecure firewall.

SUMMARY OF THE INVENTION

The present invention provides a system which employs NAT in conjunctionwith an adaptive security algorithm to keep unwanted packets fromexternal sources out of a private network. According to this algorithm,packets are dropped and logged unless they are deemed nonthreatening.Domain Name System “DNS” packets and certain types of Internet ControlMessage Protocol “ICMP” packets are allowed to enter local network. Inaddition, File Transfer Protocol “FTP” data packets are allowed to enterthe local network, but only after it has been established that theirdestination on the local network initiated an FTP session.

These and other features and advantages of the present invention will bepresented in more detail in the following specification of the inventionand the figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computer system for implementing theprocesses of a Network Address Translation system in accordance withthis invention.

FIG. 2 is a schematic diagram of a private network segment connected tothe Internet via a NAT system of this invention.

FIG. 3 is a process flow diagram showing generally the steps involved intransmitting an outbound packet through a NAT system to the Internet inaccordance with this invention.

FIG. 4A is a schematic illustration of a translation slot and associatedfields in accordance with this invention.

FIG. 4B is a schematic illustration of a connection slot and associatedfields in accordance with this invention.

FIG. 5 is a process flow diagram showing generally how an inbound packetis treated by a NAT system of this invention.

FIG. 6 is a process flow diagram illustrating in some detail thesecurity features employed to screen inbound packets destined for alocal host having a static translation slot.

FIG. 7 is a process flow diagram depicting a process for screening UDPpackets destined for a local host having a static translation slot.

FIG. 8 is a process flow diagram depicting a process for screening TCPpackets destined for a local host having a static translation slot.

FIG. 9 is a process flow diagram depicting those steps that may beemployed to screen for FTP data destined for a private network.

FIG. 10 is a process flow diagram depicting generally a securityalgorithm for screening packets destined for a local host having adynamic translation slot.

FIG. 11 is a process flow diagram depicting a process for screening UDPpackets destined for a local host having a dynamic translation slot.

FIG. 12 is a process flow diagram depicting a process for screening TCPpackets destined for a local host having a dynamic translation slot.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

1. Definitions

The following terms are used in the instant specification. Theirdefinitions are provided to assist in understanding the preferredembodiments described herein.

A “host” is a PC or other arbitrary network entity residing on a networkand capable of communicating with entities outside of its own networkthrough a router or bridge.

A “router” is a piece of hardware which operates at the network layer todirect packets between various nodes of one or more networks. Thenetwork layer generally allows pairs of entities in a network tocommunicate with each other by finding a path through a series ofconnected nodes.

A “packet” is a collection of data and control information includingsource and destination node addresses and source and destination ports.The octet of destinations and ports make every connection and packetunique.

2. Overview

The invention employs various process steps involving data manipulation.These steps require physical manipulation of physical quantities.Typically, these quantities take the form of electrical or magneticsignals capable of being stored, transferred, combined, compared, andotherwise manipulated. It is sometimes convenient, principally forreasons of common usage, to refer to these signals as bits, values,variables, characters, data packets, or the like. It should beremembered, however, that all of these and similar terms are to beassociated with the appropriate physical quantities and are merelyconvenient labels applied to these quantities.

Further, the manipulations performed are often referred to in terms,such as translating, running, selecting, specifying, determining, orcomparing. In any of the operations described herein that form part ofthe present invention, these operations are machine operations. Usefulmachines for performing the operations of the present invention includegeneral purpose and specially designed computers or other similardevices. In all cases, there should be borne in mind the distinctionbetween the method of operations in operating a computer or otherprocessing device and the method of computation itself. The presentinvention relates to method steps for operating a Network AddressTranslation system in processing electrical or other physical signals togenerate other desired physical signals.

The present invention also relates to an apparatus for performing theseoperations. This apparatus may be specially constructed for the requiredpurposes, or it may be a general purpose programmable machineselectively activated or reconfigured by a computer program stored inmemory. The processes presented herein are not inherently related to anyparticular computer or other apparatus. In particular, various generalpurpose machines may be used with programs written in accordance withthe teachings herein, or it may be more convenient to construct a morespecialized apparatus to perform the required method steps. The generalstructure for a variety of these machines will appear from thedescription given below.

Still further, the present invention relates to machine readable mediaon which are stored program instructions for performing operations on acomputer. Such media includes by way of example magnetic disks, magnetictape, optically readable media such as CD ROMs, semiconductor memorysuch as PCMCIA cards, etc. In each case, the medium may take the form ofa portable item such as a small disk, diskette, cassette, etc., or itmay take the form of a relatively larger or immobile item such as a harddisk drive or RAM provided in a computer.

FIG. 1 shows a typical computer-based system which may be used as asecure Network Address Translation system of the present invention.Shown is a computer 10 which comprises an input/output circuit 12 usedto communicate information in appropriately structured form to and fromthe parts of computer 10 and associated equipment, a central processingunit 14, and a memory 16. These components are those typically found inmost general and special purpose computers 10 and are intended to berepresentative of this broad category of data processors.

Connected to the input/output circuit 12 are inside and outside highspeed Local Area Network interfaces 18 a and 18 b. The inside interface18 a will be connected to a private network, while the outside interface18 b will be connected to an external network such as the Internet.Preferably, each of these interfaces includes (1) a plurality of portsappropriate for communication with the appropriate media, and (2)associated logic, and in some instances (3) memory. The associated logicmay control such communications intensive tasks as packet integritychecking and media control and management. The high speed interfaces 18a and 18 b are preferably multiport Ethernet interfaces, but may beother appropriate interfaces such as FDDI interfaces, etc.

The computer system may also include an input device (not shown) such asa keyboard. A flash memory device 22 is coupled to the input/outputcircuit 12 and provides additional storage capability for the computer10. The flash memory device 22 may be used to store programs, data andthe like and may be replaced with a magnetic storage medium or someother well known device. It will be appreciated that the informationretained within the flash memory device 22, may, in appropriate cases,be incorporated in standard fashion into computer 10 as part of thememory 16.

In addition, a display monitor 24 is illustrated which is used todisplay the images being generated by the present invention. Such adisplay monitor 24 may take the form of any of several well-knownvarieties of cathode ray tube displays and flat panel displays or someother type of display.

Although the system shown in FIG. 1 is a preferred computer system ofthe present invention, the displayed computer architecture is by nomeans the only architecture on which the present invention can beimplemented. For example, other types of interfaces and media could alsobe used with the computer.

FIG. 2 shows a network arrangement 32 employing a network addresstranslation system 34 of the present invention. Translation system 34acts as a connection between an enterprise network 36 and the Internet38. On the Internet side, translation system 34 connects to an Internetrouter 40 via a line 42. Internet router 40, in turn, connects toInternet destinations 44 through a line 46. On the enterprise networkside, translation system 34 connects to a router 48 via a line 50.Router 48 is, in turn, linked to various nodes on the enterprise network36 including node 52 (via line 54) and node 56 (via line 58).

As an example, assume that node 52 sends packets 60 a and 60 b to router48 along line 54. Packet 60 a is destined for the Internet as indicatedby a packet header 62. In contrast, packet 60 b is destined to for anode on the enterprise network as indicated by packet header 64. Uponreceiving packets 60 a and 60 b, router 48 then routes packet 60 b alongline 58 to node 56 and routes packet 60 a along line 50 to translationsystem 34.

To this point, the system behaves consistent with most conventionalnetworking protocols. However, packet 60 a contains source address 66which is not a globally unique IP address. Therefore, node 52 can notexpect a reply from the Internet destination of packet 60 a. To remedythis problem, packet 60 a is routed through translation system 34 whichmodifies the packet so that it can establish a connection with a desiredInternet destination. Specifically, when data packet 60 a reachestranslation system 34, its local source address 66 is replaced with anauthorized global IP source address 68 selected from a pool of availableglobal IP addresses 70. Pool 70 includes all or some subset of theglobal IP source addresses allocated to enterprise network 36.

After packet 60 a has been retooled with global IP address 68,translation system 34 sends it along line 42 to Internet router 40.Router 40 then forwards it to the appropriate destination. Thereafterthe Internet destination can reply with a packet of its own destined forglobal IP address 68. Upon receipt of such packet, translation system 34will determine if it presents a security risk. If not, it will replaceaddress 68 on the inbound packet with the local address of node 52 andthen forward the modified packet to router 48. After the node 52finishes its Internet session, address 68 may be made available to othernodes desiring Internet access. In this manner, a relatively smallnumber of global IP addresses can be used by a much larger network ofhosts.

3. Processing of Packets Received by the NAT System

The methods of this invention apply a security algorithm to networkaddress translation. The basic address translation methodolgy may bedirectly adapted from RFC 1631, previously incorporated by reference.

FIG. 3 details a process 90 that may be employed by network addresstranslation system 34 upon receipt of packet from enterprise network 36.Such outbound packets are received at the inside interface 18 a ofsystem 34. The process begins at 94 and in a decision step 96 determineswhether an outbound packet has been received from a host on enterprisenetwork 36. If not, the system simply awaits receipt of such packet. If,on the other hand, such packet was indeed received, a decision step 98determines whether the host sending the packet is listed in a table ofallocated translation slots. This table includes a list of global andlocal IP addresses for all hosts that have a translation slot opened.Translation slots will be described in more detail below. For now, it issufficient to recognize that a host's local IP address will appear inthe table of allocated translation slots if a translation slot hasindeed been allocated for that host. To perform step 98, the NAT systemfirst examines the outbound packet source header to identify the localIP address, and then determines if that address is located in thetranslation slot table. If so, step 98 is answered in the affirmative.

Assuming that step 98 is in fact answered yes (i.e., the translationslot table lists the local IP source address on the packet), a processstep 106 examines the actual translation slot for the local hostidentified in the translation slot table. If on the other hand, step 98is answered in the negative (i.e., the host sending the packet is notlisted in the table of allocated translation slots), a decision step 100determines whether a new translation slot is available. If not, an erroris logged at process step 102 and the packet is dropped withouttransmission at a step 104. Thereafter, process control returns to step96, and system 34 awaits the next outbound packet. Steps 102 and 104 arenecessary because the number of translation slots is limited by thenumber of global IP addresses available to the enterprise network. Ifthe enterprise has only a single class C address collection, forexample, no more than 254 translation slots can be used at any giventime. The system of this invention does release global IP addresses(i.e., it closes translation slots and removes their entries from thetranslation slot table) after a defined timeout period. Such period maybe adjusted by the network according to the specific network'srequirements. A typical default value is 24 hours for example.

Assuming that decision step 100 is answered in the affirmative (i.e., afree translation slot exists), a process step 108 allocates one suchtranslation slot to the host sending the packet. The NAT system thefills the newly allocated slot with various pieces of relevantinformation (detailed below) including the local host's local IP addressand a global IP address selected from the pool of available addresses.In a specific embodiment, the global unique IP address selected fromthis pool is obtained by simply picking the next available addresssequentially. The NAT system also enters the global and local IPaddresses for the new translation slot in the translation slot table.

Now, regardless of how a translation slot was identified (via step 106or 108), the next step is a decision step 110 which determines whetherthe outbound packet is a Transmission Control Protocol “TCP” packet. Asknown to those of skill in the art, this determination can be made bychecking the appropriate field in the packet header. The TCP protocolrequires a connection be established before communication can becommenced.

If the outbound packet turns out not to be a TCP packet, a process step112 simply translates the IP source address on that packet. In otherwords, the private source address initially appearing on the packet isreplaced with the global unique IP address in the associated translationslot. After the IP source address has been replaced at step 112, aprocess step 114 fixes the checksums at the end of the packet.Specifically, the address translator will modify the IP checksum and theTCP checksum. Since the differences between the original and translatedversions of the packet are known, the checksums are efficiently updatedwith a simple adjustment rather than a complete recalculation. Detailsincluding sample code are provided in RFC 1631. The address translatormust also modify those parts of ICMP and PTP packets where the IPaddress appears. Next, the retooled packet is routed by translationsystem 34 to the Internet. The process is then complete at 124.

Assuming that decision step 110 determines that the packet is indeed aTCP packet, a decision step 118 then determines whether the“synchronized sequence number” SYN bit has been set in the TCP segmentof a TCP header. As known to those skill in the art, this bit is set inthe “code bits” section of the TCP header. When the SYN bit is set, itimplies that the local host is attempting to establish a connection witha host on the Internet. Assuming that the internal host is in factattempting to establish a connection, (i.e., decision step 118 isanswered in affirmative), translation system 34 creates a new connectionslot (if any are available) at a process step 120. That slot is filledinformation uniquely describing the connection: the remote IP address,the remote port number, and the local port number. Concurrentlytherewith, the new connection is registered in a “connection field” ofthe translation slot. Thereafter, process control is directed to step112 were the IP source address is translated as described above. Then,the packet checksums are corrected and the packet is routed to theInternet as described above. Assuming that decision step 118 is answeredin the negative (i.e., the SYN bit is not set), the system will assumethat a TCP session has already been synchronized and locate theconnection object associated with internal host's current connection asa step 122. This may be accomplished with a hashing algorithm forexample. Thereafter, process control is directed to step 112 where thetranslation, modification, and forwarding functions are performed asdescribed above. If the outbound packet is a TCP packet without its SYNbit set and no existing connection is open, an error has occurred.

It should be apparent from the above discussion that there isessentially no security mechanism to block outbound packets. Mostenterprises expect this behavior.

FIG. 4A is a schematic depiction of a translation slot 130 provided foruse with the system/methods of this invention. In practice, thetranslation slot takes the form of a data structure stored in memory ofthe NAT system. In the translation slot data structure, a “next” field132 holds a pointer to the next translation slot in the translation slottable. This field is updated whenever the next successive translationslot times out while the slot at issue remains. A “global” field 134provides the global unique IP address temporarily held by the hosthaving the translation slot. A “local” address field 136 specifies thelocal address of the host. The global and local address fields are setwhen the translation slot is opened and they remain fixed throughout thelife of the slot.

A “connection” field 138 contains a listing of the connection slots, ifany, appended to the translation slot. More than one connection slot maybe associated with a given translation slot, as many users may be usinga given host to access the Internet. Each associated process will haveits own connection slot. The connection field 138 is updated each time anew connection slot is opened or timed out. Next, a “free” field 140 isreserved for a connection slot of a static translation slot. A “stamp”field 142 provides a time stamp indicating when the translation slotlast sent or received a packet. Thus, the stamp field is updated eachtime an Internet packet passes from or to the local host. This is usedfor purposes of timing out a translation slot.

Next, a “flags” field 144 contains one or more flags that may be set inconnection with the translation slot 130. Examples of such flags includea “static flag” to be set when the translation slot is a “static” rather“dynamic” translation slot. This distinction will be discussed in moredetail below. Another flag is a “port” flag to be set when a portcommand is issued by a local host initiating an FFP session. The UserDatagram Protocol “UDP” field 146 and the “TCP Holes” field 148 specify“conduits” or exceptions to the adaptive security algorithm of thisinvention. These conduits which apply only to static translation slotswill be discussed in more detail below. The UDP Holes and TCP Holesfields are set by the system administrator when configuring the systemwith static translation slots.

FIG. 4B is a schematic depiction of a connection slot 160 which may beappended to a translation slot as described above. In this slot, a“next” field 162 holds a pointer to the next connection slot associatedwith the appropriate translation slot. Next, a “flags” field 164contains any flags associated with the connection slot. A “faddr” field166 specifies an address for the foreign host to which the connection ismade. A “fport” field 168 specifies a port of the foreign host. As isknown to those of skill in the art, a port is a TCP/IP transportprotocol used to distinguish among multiple destinations within a givenhost computer. Some destinations are reserved for standard services suchas e-mail. Next, an “lport” field 170 specifies a port number for thelocal host. Values are provided to fields 166, 168, and 170 when theconnection slot is opened and these fields remain unchanged throughoutthe life of the connection slot.

A “delta” field 172 specifies an adjustment (delta) to the TCP sequencenumber as required for address translation in FTP connections. This isbecause FTP PORT command arguments include an IP address in ASCII.Substituting the ASCII IP address may change the packet size. The deltavalue specifies by how much the sequence number must be adjusted toaccount for any difference in packet size due to substitution of theASCII number. Field 172 must be updated everytime a PORT command isissued. Next, a “stamp” field 174 specifies the time that the connectionwas last used. This is used for timing out a connection slot. An “xfer”field 176 specifies the total number of bytes transferred while theconnection slot is open. The value in this field will continue to growas more packets are sent and received over the connection. Finally, a“start” field 178 specifies the time that the connection was created.

The process by which translation system 34 handles inbound packets fromthe Internet (and arriving at NAT system outside interface 18 b) isdepicted in a process flow diagram 200 shown in FIG. 5. It should beunderstood that this procedure includes an adaptive security algorithmthat does not block outbound packets. In a preferred embodiment,adaptive security follows these rules:

1. Allow any TCP connections that originate from the inside network.

2. Ensure that if an FTP data connection is initiated to a translationslot, there is already an FTP control connection between thattranslation slot and the remote host. Also ensure that a port commandhas been issued between the same two hosts. If these criteria are notmet, the attempt to initiate an FTP data connection is dropped andlogged.

3. Prevent the initiation of a TCP connection to a translation slot fromthe outside. The offending packet is dropped and logged.

4. Allow inbound UDP packets only from DNS. NFS is explicitly denied.

5. Drop and log source routed IP packets sent to any translation slot onthe translation system.

6. Allow only ICMP of types 0, 3, 4, 8, 11, 12, 17 and 18.

7. Ping requests from outside to dynamic translation slots are silentlydropped.

8. Ping requests to static translation slots are answered.

Process 200 begins at 202 and then a decision step 204 determineswhether an inbound packet has been received. If not, the system simplyawaits receipt of such packet. When such packet is received, a decisionstep 206 determines whether a translation slot exists for the global IPdestination address on the packet. If no such translation slot exists,it is impossible to discern which local host is the intended recipientof the packet. Thus, a process step 208 drops and logs the packet. Thismeans that the inbound packet never reaches the enterprise network 36and its content is logged for post-mortum evaluation by a networkadministrator.

Assuming that decision step 206 is answered in the affirmative (i.e., atranslation slot exists for the incoming packet), a decision step 210determines whether that translation slot references a statictranslation. A static translation slot “hard-wires” to a given internalhost machine a globally unique IP address that does not time out. Thus,the host machine maintains an ongoing mapping of its local address to aspecific global IP address held by the enterprise. This may beappropriate for internal hosts acting as Internets servers (email,anonymous FTP, World-Wide Web etc.). For all practical purposes, thehost machine having the static connection slot appears to be astand-alone “wide open” node on the Internet. As explained in moredetail below, static translation slots unlike dynamic translation slotscan have conduits or exceptions to the adaptive security algorithmoutlined below.

If decision step 210 is answered in the negative, it can be assumed thetranslation slot associated with the inbound packet is a dynamictranslation slot. In that case, a process step 212 will handle theinbound packet according to a specific algorithm for dynamictranslations (see FIG. 10 as discussed below). Thereafter, the processis completed at 230.

Assuming that decision step 210 is answered in the affirmative (i.e.,the translation slot is static translation slot), a decision step 214determines whether the inbound packet is an ICMP frame. As known tothose of skill in the art, ICMP packets are used, for among purposes, tohandle error and control messages. Many ICMP functions do not pose asecurity danger. However, others such as a “redirect” (which changes aroute in a routing table) pose potential security risks. Thus, if theinbound packet is an ICMP packet a decision step 216 determines whetherthat packet is of an approved type. Assuming that the ICMP packet is notof an approved type, a process step 218 drops and logs the packet asdescribed above (in the context of step 208). Thereafter, the process iscompleted at 230.

Assuming that decision step 216 determines that the ICMP packet is of anapproved type, a process step 220 translates the inbound packet byreplacing the global IP address with a local IP address provided in thestatic translation slot for the local host receiving the inbound packet.In addition, the system will fix the checksums in the packet asappropriate based upon the address change. Thereafter, at a step 222,the translated inbound packet is forwarded to the local host and theprocess is completed at 230.

If decision step 214 determines that the inbound packet is not an ICMPpacket, a decision step 224 determines whether a “secure flag” is setfor the static translation. This can be determined by simply looking athe appropriate field in the static translation slot (field 144)associated with the destination host. Enterprise hosts having statictranslation slots may or may not employ the adaptive security mechanismsof the present invention. It is up to the user or administrator toconfigure such hosts appropriately (by setting the secure flag ifadaptive security is to be employed). Assuming that decision step 224 isanswered in the negative (i.e., the secure flag is not set), processcontrol is directed to step 220 where the inbound packet is translatedas described above. Thereafter, the packet is forwarded at step 222 andthe process is completed as described above.

If decision step 224 determines that the secure flag is set in thestatic translation slot, the system will scrutinize the inbound packetaccording to the adaptive security mechanism at a step 226.Specifically, step 226 will test the inbound packet to determine whetherit meets certain “UDP” and “TCP” security criteria. If the stepdetermines that the inbound packet does not pose a security risk, it istranslated and forwarded at steps 220 and 222 as described above. If,however, the inbound packet is found to pose a security risk, it isdropped and logged at a step 228 before the process is completed at 230.

As noted, only certain “nonthreatening” types of ICMP messages will beaccepted. Following this paragraph is a list of some ICMP message types.In a preferred embodiment, only types 0, 3, 4, 8, 11, 12, 17 and 18 areallowed. This implies that ICMP redirects (type 5) and others are deniedby the adaptive security mechanism.

Type Field ICMP Message Type 0 Echo Reply 3 Destination Unreachable 4Source Quench 5 Redirect (change a route) 8 Echo Request 11 TimeExceeded for a Datagram 12 Parameter Problem on a Datagram 13 TimestampRequest 14 Timestamp Reply 15 Information Request 16 Information Reply17 Address Mask Request 18 Address Mask Reply

The process of determining whether an inbound packet meets the UDP andsecurity criteria of this invention (step 226 of FIG. 5) is depicted inFIG. 6. process begins at 240 and in a decision step 242 determineswhether inbound packet is a UDP packet. As known to those of skill art,this information can be readily discerned by checking the appropriatefield of an IP datagram header. Assuming that the system determines thatthe inbound packet is indeed a UDP packet, a decision step 224determines whether that packet meets specified UDP security criteria. Ifso, the process is completed at 250 with the packet being made availablefor translation for an forwarding as described with reference to FIG. 5.If, however, decision step 244 determines that the UDP packet does notmet the required security criteria, the process is completed at 252 withthe UDP packet being dropped and logged as described with respect tostep 228 of FIG. 5.

Assuming that decision step 242 determines that the datagram structureof the inbound packet is not a UDP packet, a decision step 246determines whether that datagram is a TCP packet. If so, a decision step248 determines whether TCP packet meets the TCP security criteriaprovide for the translation system. If so, the process is completed at250 as described above. If not, the process is completed at 252 asdescribed above. Finally, if decision step 246 is answered in thenegative (i.e., the inbound packet is neither a UDP nor a TCP packet),the process is completed at 252 as described above.

The process of the determining whether an inbound UDP packet meets thespecified UDP security criteria (step 244 of FIG. 6) is detailed in FIG.7. The process begins a 260, and in a step 262 determines whether any“conduits” exists in the adaptive security mechanism associated with thestatic translation slot of interest. As described in more detail below,conduits are exceptions to the adaptive security rules described hereinAssuming that no such conduits exists, a decision step 264 determineswhether the destination port number is greater than 1024. This impliesthat the destination is a “nonprivileged” port, and there is aprobability that the inbound packet is a normal return packet for UDP.Specifically, the packet may be a reply to a DNS (domain name service)request by a local host. If decision step 264 is answered in theaffirmative, a decision step 266 determines whether the destination portis equal to value of 2049. If so, this implies that the inbound packetis an NFS (network file system) packet which should not be accepted. Asis known to those of skill in the art, NFS packets are employed toaccess an external computer's file system as if it was local. Suchaccess from the Internet is clearly inconsistent with the security goalsof this invention. Therefore the process is completed at 274 with thepacket being dropped and logged pursuant to step 228 of FIG. 5. If,however, decision step 266 is answered in the negative (i.e, thedestination is not equal to 2049), a decision step 268 determineswhether the source port value is equal to 53. This implies that theinbound packet is a DNS packet which should be accepted so that thelocal host can access a remote host by name. Thus, if decision step 268is answered in the affirmative, the process is completed at 272 with thepacket being translated in accordance with step 220 of FIG. 5.

The immediately preceding steps allow only those packets having a largedestination port (>1024) and a source port equal to 53. This isconsistent with DNS requests initiated by the local host.

Assuming that decision step 264 determines that the destination portvalue is not greater than 1024, a decision step 270 determines whetherthe destination port value is equal to 53. If so, the inbound packetmust be a DNS request packet and should be allowed in. If decision step270 is answered in the affirmative, the process is completed at 272 asdescribed above. If, on the other hand, decision step 270 is answered inthe negative, the process is completed at 274 as described above. Insummary, the function of decision steps 264 through 270 is to ensurethat the only packets allowed to cross from the Internet throughtranslation system 34 to enterprise 36 are DNS packets. NFS packets areexplicitly excluded.

If decision step 262 determines that one or more conduits exists for thestatic translation slot, a decision step 263 determines whether the UDPpacket matches any of those conduits. If so, the process is completed at272 as described above. If not, process control is directed to step 264for evaluation of the packet's destination port as described above.

As mentioned, conduits are exceptions to the general adaptive securityrules implemented on translation system 34. Such rules were summarizedabove. Each secure static translation slot will have zero or moreconduits provided therewith in the “UDP Holes” and/or “TCP Holes” fields146 and 148 (see FIG. 4A). These fields are supplied with specificconduits when the translation system is configured. Each such conduit isprovided in the format protocol: address/mask-port. The “protocol”section specifies either UDP or TCP, the “address” section specifies adestination global IP address, the net “mask” section specifies how manybits of the IP address that are to be compared in the matching step, andthe “port” section specifies a destination port value (e.g., 25 formail, 24 for Telnet, etc.). The “mask” section can be set as large orsmall as desired. For example, if an administrator wishes to allow anentire class C address group into the conduit, the mask would be set tocompare only the 24 IP address bits specifying netid. If the informationcontained in the inbound packet meets the criteria specified by aconduit, the conduit is “matched” pursuant to step 263 of FIG. 7.

Multiple exceptions may be applied to a single static translation slot(via multiple conduit commands). This allows the administrator to permitaccess from an arbitrary machine, network, or any host on the Internetto the inside host defined by the static translation slot.

FIG. 8 details the step of determining whether a TCP packet meets thespecified security criteria (step 248 of FIG. 6). The process begins at280 and in a decision step 282 determines whether a conduit exists forthe static translation slot at issue. If so, a decision step 284determines whether the information contained in the inbound packetmatches any conduit for the static translations slot. This process isconducted exactly as described with reference to decision step 263 inFIG. 7. If decision step determines that there is a conduit match, theprocess is completed at 294 with translation and forwarding of thepacket. If however, decision step 284 determines that there is noconduit match, a decision step 286 determines whether the SYN flag isset and the ACK flag is not set. If so, an external source is likelyattempting an unsolicited connection to the enterprise network. Ingeneral, such packets should not be accepted unless they are part of arequested FTP file transfer.

If decision step 282 determines that there are no conduits associatedwith the static translation slot of the destination host, processcontrol is directed to decision step 286. If the conditions of step 286are not met (i.e., either the SYN flag is not set or the ACK flag isset), a decision step 288 determines whether a connection slot existsfor the static translation slot at issue. If no such connection slotexists, it can be assumed that no connection was initiated by a host inthe enterprise network 36. Thus, if decision step 288 is answered in thenegative, the process is concluded at 296 with the packet being droppedand logged. If, however, a connection slot does exist for the statictranslation slot, a decision step 290 determines whether the port and IPsource and destination addresses of the inbound packet match those ofany connection object of the static translation slot. If no such matchis found, it can again be assumed that the internal host did notinitiate a connection requesting the inbound packet. Thus, if decisionstep 290 is answered in the negative, the process is concluded at 296with the packet being dropped and logged. If, on the other hand,decision step 290 is answered in the affirmative (that is, the port andIP addresses in the inbound packet match those of a connection object),the process is concluded at 294 with the packet being translated andforwarded.

If decision step 286 is answered in the affirmative, a decision step 292determines whether the source port value of the inbound packet equals20. A source port value of 20 indicates that an FTP (file transferprotocol) data connection is being established. If decision step 292 isanswered in the negative (i.e., the inbound packet is attempting toestablish a connection for some purpose other than sending FTP data),the process is concluded at 296 with the packet being dropped andlogged. If, however, decision step 292 is answered in the affirmative, adecision step 293 determines whether the inbound packet meets certainFTP security criteria. If so, the process is completed at 294 with thepacket being translated and forwarded. If not the process ends at 296with the packet being dropped and logged.

FIG. 9 details the process steps associated with determining whether FTPsecurity criteria have been met (step 293 of FIG. 8). The process beginsat 300 and then a decision step 302 determines whether an FTP controlconnection slot exists for the translation slot of the local host. Thiscan be determined by a destination port number of 21 in the “fport”field 168 of a connection slot for the local host (see FIG. 4B). If so,the host associated with the static translation slot has initiated anFTP control session and the inbound packet may possibly accepted. As isknown to those of skill in the art, FTP consists of two connections:first a local host logs into a remote server with a control connectionand then the remote server responds with a data connection to the localhost. Assuming that an FTP control connection slot exists, a decisionstep 304 determines whether the local host has issued a PORT command.This may be established by checking for a “port” flag in the flags fieldof the translation slot (see FIG. 4A). Assuming that such port commandhas been issued, a decision step 306 determines whether a new connectionslot is available. It is possible that the translation system 34 mayhave too many simultaneous connections to allocate a new connectionslot. That is, it is of course possible that all available connectionslots are in use. If, however, one or more additional connection slotsare available (i.e., decision step 306 is answered in the affirmative),a process step 308 creates a new connection lot for the inbound FTP datapacket. Concurrently therewith, the new connection is registered in the“connection field” of the translation slot. Thereafter the process iscompleted at 310 with the inbound packet being translated and forwarded.If any of decision steps 302, 304, or 306 are answered in the negative,the process is concluded at 312 with the packet being dropped andlogged.

As noted above in the context of FIG. 5, inbound packets that are notdestined for static translation slots may be destined for dynamictranslation slots. In fact, all translation slots are either static ordynamic. Thus, if a translation slot exists for the destination of aninbound packet, and that destination does not have a static translationslot, then it must have a dynamic translation slot. As noted inconnection with the discussion of FIG. 5, a decision step 212 determineswhether such inbound packets meet the security requirements for dynamictranslation slots. FIG. 10 details a process by which such securityrequirements are evaluated. The process begins at 320, and in a decisionstep 322 the translation system determines whether the inbound packet isan ICMP packet. If so, decision step 324 determines whether that packetcontains a “ping” request (ICMP echo message—type 8). If so, the processis completed at 338 with the inbound packet being dropped and logged. Ifon the other hand, the ICMP packet is not a ping request, a decisionstep 326 determines whether the inbound packet is one of the approvedtypes of packets. If decision step 326 determines that the inbound ICMPpacket is not one of the approved types, the process is concluded at 338with the packet being dropped and logged. If, on the other hand, theICMP packet is of an approved type, the process is concluded at 336 withthe packet being translated and forwarded.

A comparison of the processes depicted in FIGS. 5 and 10 shows that ICMPpackets are treated similarly when destined for hosts with either staticor dynamic translation slots. However, a host with a static translationslot will accept a ping request (ICMP message type 8) while a host witha dynamic translation slot will not. Thus, external sources canestablish the presence of static hosts but not dynamic hosts. This isbecause the dynamic hosts change IP addresses from time to time and areintended to be shielded behind translation system.

Returning now to FIG. 10, assuming that the inbound packet is not anICMP packet (i.e., decision step 322 is answered in the negative), adecision step 328 determines whether the inbound packet is a UDP packet.If so, a decision step 330 determines whether the inbound UDP packetmeets the security criteria appropriate for a dynamic translation slot.If so, the process is concluded at 336 with the packet being translatedand forwarded. If not, the process is concluded at 338 with the packetbeing dropped and logged.

Assuming that the inbound packet is neither an ICMP packet nor a UDPpacket (i.e., both decision steps 322 and 328 are answered in thenegative), a decision step 332 then determines whether the inboundpacket is a TCP packet. If not, the process is concluded at 338 with thepacket being dropped and logged. If, on the other hand, the packet isindeed a TCP packet, a decision step 334 determines whether that packetmeets the adaptive security criteria required of a TCP packet destinedfor a host having a dynamic translation slot. If so, the process isconcluded at 336 with the packet being translated and forwarded. If not,the process is concluded at 338 with the packet being dropped andlogged.

The UDP and TCP security criteria for inbound packets are nearlyidentical for hosts having static translation slots and hosts havingdynamic translation slots. The only difference is that hosts with statictranslation slots can have conduits or exceptions to the securitymechanism. The following discussion of FIGS. 11 and 12 will illustratethis.

The process of the determining whether an inbound UDP packet meetssecurity criteria for a dynamic slot (step 330 of FIG. 10) is detailedin FIG. 11. The process begins a 350, and a decision step 352 evaluatesthe incoming packet to determine whether its destination port number isgreater than 1024. If so, a decision step 354 determines whether thedestination port is equal to a value of 2049. If so, this implies thatthe inbound packet is an NFS (network file system) packet which shouldnot be accepted. In such cases, the process is completed at 360 with thepacket being dropped and logged. If, however, decision step 354 isanswered in the negative (i.e, the destination is not equal to 2049), adecision step 356 determines whether the source port value is equal to53. This implies that the inbound packet is a DNS packet which should beaccepted. Thus, if decision step 356 is answered in the affirmative, theprocess is completed at 362 with the packet being translated andforwarded.

Assuming that decision step 352 determines that the destination portvalue is not greater than 1024, a decision step 358 determines whetherthe destination port value is equal to 53. If so, the inbound packetmust be a DNS request packet and should be allowed in. Thus, if decisionstep 358 is answered in the affirmative, the process is completed at 362as described above. If, on the other hand, decision step 358 is answeredin the negative, the process is completed at 360 as described above. Asin the case of static translation slots, the only packets allowed tocross from the Internet through translation system 34 to enterprisenetwork 36 are DNS packets. NFS packets are explicitly excluded.

FIG. 12 details the process of determining whether a TCP packet meetsthe security criteria for a dynamic slot (step 334 of FIG. 10). Theprocess begins at 370 and in a decision step 372 examines the incomingpacket and determines whether the SYN flag is set and the ACK flag isnot set. If not, a decision step 374 determines whether a connectionslot exists for the dynamic translation slot at issue. If no suchconnection slot exists, it can be assumed that no connection wasinitiated by a host in the enterprise network 36. Thus, if decision step374 is answered in the negative, the process is concluded at 382 withthe packet being dropped and logged. If, however, a connection slot doesexist for the dynamic translation slot, a decision step 376 determineswhether the port and IP source and destination addresses of the inboundpacket match those of any connection object of the dynamic translationslot. If no such match is found, it can again be assumed that theinternal host did not initiate a connection requesting the inboundpacket. Thus, if decision step 376 is answered in the negative, theprocess is concluded at 382 with the packet being dropped and logged.If, on the other hand, decision step 376 is answered in the affirmative(that is, the port and IP addresses in the inbound packet match those ofa connection object), the process is concluded at 384 with the packetbeing translated and forwarded.

If decision step 372 is answered in the affirmative, a decision step 378determines whether the source port value of the inbound packet equals20. As noted, a source port value of 20 indicates that an FTP dataconnection is being established. If decision step 378 is answered in thenegative (i.e., the inbound packet is attempting to establish aconnection for some purpose other than sending FTP data), the process isconcluded at 382 with the packet being dropped and logged. If, however,decision step 378 is answered in the affirmative, a decision step 380determines whether the inbound packet meets certain FTP securitycriteria. If so, the process is completed at 384 with the packet beingtranslated and forwarded. If not the process ends at 382 with the packetbeing dropped and logged. The FFP security criteria referenced in step380 may be identical to those set forth in FIG. 9.

Although the foregoing invention has been described in some detail forpurposes of clarity of understanding, it will be apparent that certainchanges and modifications may be practiced within the scope of theappended claims. For example, the private network described above may bea single local area network or multiple local area networks connected asa wide area network. Further, the adaptive security algorithm describedabove may be applied to a single machine as well as a network.

What is claimed is:
 1. A method of passing a packet between a localnetwork and nodes outside of the local network, the method comprising:receiving the packet; identifying a first network layer address on thepacket that matches a second network layer address in an addresstranslation list specifying combinations of IP addresses of hosts on thelocal network with globally unique IP addresses from a pool of globallyunique IP addresses available for use by the hosts on the local network;translating the matching first network layer address on the packet to acorresponding third network layer address specified in the translationlist wherein a non-globally unique IP address of the host is translatedto one of said globally unique IP addresses available from the pool whenthe packet is sent from the local network and one of said globallyunique IP addresses identified as one from the pool is translated tosaid non-globally unique IP address of the host when the packet isdirected to the local network; and matching the packet against at leastone security criterion.
 2. The method of claim 1, wherein the packet isreceived at an interface of the local network.
 3. The method of claim 2,wherein the interface is located between the local network and theInternet.
 4. The method of claim 1, wherein a network layer addresstranslation system translates the network layer address on the packet.5. The method of claim 1, wherein the network layer address is adestination network layer address on the packet when the packet isdirected to the local network or a source network layer address on thepacket when the packet is sent from the local network.
 6. The method ofclaim 1, wherein the network layer address is a globally uniquedestination network layer address on the packet and the packet isdirected to the local network, and wherein the globally uniquedestination network layer address is translated to a network layeraddress of a host on the local network.
 7. The method of claim 1,wherein the network layer address is a source network layer address onthe packet and the packet is sent from the local network, and whereinthe source network layer address is translated to a globally uniquenetwork layer address.
 8. The method of claim 1, wherein the at leastone security criterion includes: (a) determining that the packetindicates that a data connection is to be opened, and (b) determiningwhether a control connection exists for the data connection.
 9. Themethod of claim 1, further comprising forwarding the packet to adestination if it meets the at least one security criterion.
 10. Themethod of claim 2, further comprising blocking transmission of thepacket to its destination if it does not meet the at least one securitycriterion.
 11. An apparatus configured to provide network connectionsbetween nodes on a local network and nodes outside the local network,the apparatus comprising: a processor; a memory in communication withthe processor; a collection of global IP addresses available to thenodes on the local network; an address translation list including atleast one translation, each specifying a local network layer address ofa local node and an associated global unique network layer address; anda firewall specifying at least one security criterion and configured toprotect the local network from packets that pose a security risk,wherein at least one of the processor and the memory is configured tomatch IP addresses in packets against IP addresses of entries in theaddress translation list, wherein non-globally unique IP address of thelocal node is matched to a globally unique IP address available from thecollection when the packet is sent from the local network and a globallyunique IP address identified as one from the collection is matched to anon-globally unique IP address of the local node when the packet isdirected to the local network.
 12. The apparatus of claim 11, wherein atleast one entry of the address translation list includes informationdefining a connection between said local node of the local network and aforeign host outside the local network.
 13. The apparatus of claims 11,further comprising an outside interface connected to an external networkand an inside interface connected to the local network.
 14. Theapparatus of claim 11, wherein the apparatus is a network deviceincluding a plurality of ports for communication with at least onenetwork medium, and associated logic controlling communications throughthe ports.
 15. The apparatus of claim 11, wherein the at least onesecurity criterion includes, when a packet indicates that a dataconnection is to be opened, determining whether a control connectionexists for the data connection.
 16. A machine readable medium on whichis stored instructions for passing a packet between a local network andnodes outside of the local network, the instructions specifying a methodcomprising: receiving the packet; identifying a first network layeraddress on the packet that matches a second network layer address in anaddress translation list specifying combinations of IP addresses ofhosts on the local network with globally unique IP addresses from a poolof globally unique IP addresses available for use by the hosts on thelocal network; translating the matching first network layer address onthe packet to a corresponding third network layer address specified inthe translation list, wherein a non-globally unique IF address of thehost is translated to one of said globally unique IP addresses availablefrom the pool when the packet is sent from the local network and one ofsaid globally unique IP addresses identified as one from the pool istranslated to said non-globally unique IP address of the host when thepacket is directed to the local network, and matching the packet againstat least one security criterion.
 17. The machine readable medium ofclaim 16, further comprising instructions for forwarding the packet to adestination if it meets the one or more security criteria.
 18. Themachine readable medium of claim 16, further comprising instructions forblocking transmission of the packet to its destination if it does notmeet the at least one security criterion.
 19. The machine readablemedium of claim 16, wherein the medium is a memory for use in a networklayer address translation system.
 20. The machine readable medium ofclaim 16, wherein the network layer address is a destination networklayer address on the packet when the packet is directed to the localnetwork or a source network layer address on the packet when the packetis sent from the local network.
 21. The machine readable medium of claim16, wherein the network layer address is a globally unique destinationnetwork layer address on the packet and the packet is directed to thelocal network, and wherein the globally unique destination network layeraddress is translated to a network layer address of a host on the localnetwork.
 22. The machine readable medium of claim 16, wherein thenetwork layer address is a source network layer address on the packetand the packet is sent from the local network, and wherein the sourcenetwork layer address is translated to a globally unique layer address.